F-Response Live Physical Memory + X-Ways Forensic 16.2 Preview 4
Sep 27, 2011
Over the past few years we've developed a very good working relationship with X-Ways and Stefan Fleischmann. In fact, just today I received word from Stefan regarding a new feature available in X-Ways Forensic 16.2 Preview 4 (due out in October), specifically:
"If main memory is represented as a physical disk, for example because it is the RAM of a remote computer accessible via F-Response or because it is a raw memory dump or .e01 evidence file with a memory dump interpreted as a physical disk, it is now possible to open a 'volume' from within the 'physical disk' in which X-Ways Forensic offers its main memory analysis."
Now, to put this in layman's terms, F-Response Live Memory can be explored using X-Ways Forensic (starting with 16.2 Preview 4) without imaging.
Remarkable!
I immediately downloaded the latest preview release, deployed and connected to physical memory on a remote F-Response Target, and opened up X-Ways. The end result was a new volume labeled "RAM" that I could open and explore.
F-Response Live Memory as seen by X-Ways Forensic 16.2 Preview 4
In addition, here is a brief video where I show the process. It's remarkably simple and straightforward; kudos to Stefan and the team at X-Ways.
Thanks and enjoy!
Warmest Regards,
M. Shannon, Founder
F-Response
September 27, 2011